hbaber asked on

Centos 7 DNS server not replying to clients

What have I missed?  

I am trying to configure a local DNS server in CentOS 7 and it appears that queries from the server to the outside are working, but clients are not getting responses from the local server. I can see the request coming in via tcpdump, but the local server isn't performing the query and replying to the client.



From server:
[root@zotac etc]# nslookup
> server
Default server: 10.30.3.5
Address: 10.30.3.5#53
> cnn.com
Server:         10.30.3.5
Address:        10.30.3.5#53

Non-authoritative answer:
Name:   cnn.com
Address: 151.101.64.73
Name:   cnn.com
Address: 151.101.192.73
Name:   cnn.com
Address: 151.101.0.73
Name:   cnn.com
Address: 151.101.128.73

[root@zotac etc]# netstat -lnp | grep named
tcp        0      0 10.30.3.5:53            0.0.0.0:*               LISTEN      10028/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      10028/named
udp        0      0 10.30.3.5:53            0.0.0.0:*                           10028/named
[root@zotac etc]#




From Windows client:
c:\>nslookup cnn.com.
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.30.3.5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out



Server sees the response, but it is not forwarded to the forwarding servers
[root@zotac ~]# tcpdump -vvv -s 0 -l -n port 53 -i enp2s0 | grep cnn.com
tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 65535 bytes
    10.30.3.253.55238 > 10.30.3.5.domain: [udp sum ok] 2+ A? cnn.com. (25)
    10.30.3.253.55239 > 10.30.3.5.domain: [udp sum ok] 3+ AAAA? cnn.com. (25)



I expect to see a query to the external DNS and/or a reply from the local DNS to the client.


[root@zotac etc]# cat named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl "trusted" {
 10.30.3.0/24;
};

options {
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { trusted; };
        allow-transfer { 10.30.3.5; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        forward first;
        listen-on port 53 {
                10.30.3.5;
        };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

key rndc-key {
        algorithm hmac-md5;
        secret "secretpassword";
};

controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};

zone "kfs.local" IN {
        type master;
        file "/var/named/kfs.local.hosts";
        allow-update { none; };
};

zone "10.30.3.in-addr.arpa" {
        type master;
        file "/var/named/3.30.10.rev";
};
[root@zotac etc]#


Tags: Linux, DNS, CentOS

Last comment: hbaber, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Chris Dent

M M Ali

Check your firewall rules.
hbaber

ASKER
Rookie mistake! Added DNS to the public zone and clients are working.
Thanks.
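The thread's diagnosis can be reproduced offline. The facts the asker posted are: named is bound to 10.30.3.5:53 (netstat), the client's A/AAAA queries reach the interface (tcpdump), and yet the client times out; the missing piece turned out to be the firewalld public zone. The script below is an added example, not code from the thread or from the BIND or firewalld projects. It parses the text that `netstat -lnp` and `firewall-cmd --zone=<zone> --list-all` print, so the same three-layer check (daemon bound, firewall open, then named.conf) can be run against live output. The netstat sample is copied from the question; the two zone listings are constructed to resemble a CentOS 7 public zone before and after the `dns` service is added.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "named listens but clients
# time out" diagnosis from captured text, so the firewall layer is checked
# before named.conf is blamed.
# Live use:
#   diagnose "$(netstat -lnp)" "$(firewall-cmd --zone=public --list-all)"

# Return 0 if the netstat listing shows named bound to udp/53 (the port DNS
# clients use first); anything else, including only the rndc port 953, fails.
named_listens_53() {
    printf '%s\n' "$1" | grep -Eq '^udp6?[[:space:]].*:53[[:space:]].*[0-9]+/named'
}

# Return 0 if the firewalld zone listing admits DNS, either through the "dns"
# service or through an explicit 53/udp or 53/tcp port entry.
zone_allows_dns() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*services:.*[[:space:]]dns([[:space:]]|$)' && return 0
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ports:.*[[:space:]]53/(udp|tcp)([[:space:]]|$)' && return 0
    return 1
}

# Print one verdict naming the layer that needs attention.
diagnose() {
    netstat_out="$1"
    zone_out="$2"
    if ! named_listens_53 "$netstat_out"; then
        echo "named is not bound to udp/53: check listen-on in named.conf and the named service status"
    elif ! zone_allows_dns "$zone_out"; then
        echo "named listens, but the firewalld zone drops port 53: clients will time out until the dns service is added"
    else
        echo "named listens and the firewall admits DNS: next check allow-query and recursion in named.conf"
    fi
}

# Sample netstat output, copied from the question.
NETSTAT_SAMPLE='tcp        0      0 10.30.3.5:53            0.0.0.0:*               LISTEN      10028/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      10028/named
udp        0      0 10.30.3.5:53            0.0.0.0:*                           10028/named'

# Constructed zone listing: a default public zone with no DNS entry.
ZONE_BEFORE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed zone listing after the dns service has been added to the zone.
ZONE_AFTER='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: ssh dhcpv6-client dns
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

echo "before: $(diagnose "$NETSTAT_SAMPLE" "$ZONE_BEFORE")"
echo "after:  $(diagnose "$NETSTAT_SAMPLE" "$ZONE_AFTER")"
```

The ordering matters: the netstat line proves the daemon is bound, tcpdump proves packets reach the host, so the only layer left between the two is the host firewall. On a firewalld host the fix the asker applied corresponds to `firewall-cmd --permanent --zone=public --add-service=dns` followed by `firewall-cmd --reload`; the zone name assumes the interface sits in `public`, which `firewall-cmd --get-active-zones` confirms.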